s4-rodc: Fix provision warnings by creating ntds objectGUID in provision

Stefan (metze) Metzmacher metze at samba.org
Tue May 11 02:35:31 MDT 2010


Anatoliy Atanasov schrieb:
> ----- Original Message -----
>> From: Stefan (metze) Metzmacher <metze at samba.org>
>> To: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
>> Cc: abartlet at samba.org <abartlet at samba.org>, samba-technical at lists.samba.org <samba-technical at lists.samba.org>
>> Sent: Tuesday, May 11, 2010 11:08:20 AM (GMT+02:00) Athens, Bucharest, Istanbul
>> Subject: Re: s4-rodc: Fix provision warnings by creating ntds objectGUID in provision
> 
>> Anatoliy Atanasov schrieb:
>>> Hi Andrew,
>>>> On Mon, 2010-05-10 at 09:26 -0500, Anatoliy Atanasov wrote:
>>>>> The branch, master has been updated
>>>>>        via  658dac9... v2 Latest enhancements in ldapcmp tool
>>>>>        via  c3cbb84... s4-rodc: Fix provision warnings by creating ntds objectGUID in provision
>>>>>       from  8373606... s3-rpcclient: fix two more invalid typecasts in spoolss commands.
>>>>> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
>>>>>
>>>>> commit c3cbb846d0bfbaa11fd255bada7fa5fe502d4d96
>>>>> Author: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
>>>>> Date:   Mon May 10 13:52:27 2010 +0300
>>>>>
>>>>>     s4-rodc: Fix provision warnings by creating ntds objectGUID in provision
>>>>> -----------------------------------------------------------------------
>>>>>
>>>>> Summary of changes:
>>>>>  source4/dsdb/pydsdb.c                       |   23 ++
>>>>>  source4/scripting/devel/ldapcmp             |  402 +++++++++++++++++----------
>>>>>  source4/scripting/python/samba/provision.py |    6 +-
>>>>>  source4/scripting/python/samba/samdb.py     |    4 +
>>>>>  4 files changed, 294 insertions(+), 141 deletions(-)
>>>>>
>>>> Anatoliy,
>>>>
>>>> This patch is incorrect, and dangerous.
>>>>
>>>> As far as I can see from the full patch, you set a GUID into the opaque,
>>>> but never actually make any effort to actually make it match the GUID
>>>> that will be stored in LDB.
>>> Right, I misunderstood metze's suggestion to copy samdb.set_invocation_id
>>> and do the same with objectGUID
>>>
>>>> If the ultimate question that is causing this warning is 'am I an RODC',
>>>> then set an opaque for that.  If it is some other question, then make a
>>>> cache for that other question.  But you can't set an opaque value
>>>> caching an objectGUID unless you also make efforts to ensure that
>>>> objectGUID is what is actually used.  However, given that we can't
>>>> easily set an objectGUID on LDAP backends, I've generally preferred to
>>>> avoid this practice.
>>> If I understood, creating an object GUID during provision is a bad idea, right?
>>> The thing is that I need it in samdb_rodc, where I switched from using invocationID to objectGUID.
>>> To answer amIRODC I need the NTDS entry for our server from the db and read the msDS-isRODC attribute, which is constructed btw.
>>> Are there other options to do that, but using objectGUID to get the NTDS settings?
>>
>> My suggestion was to have a 'samdb.set_is_rodc()' cached value similar
>> to samdb.set_invocation_id().
>>
>> This way the provision can preset this value.
> I can't do that, because we use msDS-isRODC constructed attribute to decide if we are rodc.

you can:-)

we some thing like this:
http://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=1b1e2c7913097213a99ef74b90654e13b56775c4

metze
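The review point in this thread (an opaque that caches an objectGUID the backend never actually stored is wrong, whereas an opaque that caches the answer to the real question, "am I an RODC?", plus the NTDS settings DN is safe) is illustrated below with a constructed, self-contained Python model. This is an added example, not Samba code: `FakeSamDB`, its `add`/`set_opaque`/`get_opaque`/`search_*` methods, and the `provision_*`/`am_rodc_*` functions are hypothetical stand-ins that mimic an LDAP-style backend assigning its own objectGUID on add, and are not the Samba SamDB API.

```python
"""Constructed model (not Samba code) of the caching hazard discussed above.

An 'opaque' here is a per-handle cache slot on the database object. The toy
backend, like an LDAP backend, ignores any client-supplied objectGUID and
generates its own on add(), so a GUID preset into the opaque at provision
time never matches what is stored.
"""
import uuid


class FakeSamDB:
    """Toy stand-in for an ldb/SamDB handle (hypothetical, for this example)."""

    def __init__(self):
        self._records = {}   # dn -> attribute dict
        self._opaques = {}   # name -> cached value (the 'opaque' slot)

    def add(self, dn, attrs):
        stored = dict(attrs)
        # Backend-assigned GUID: a caller-supplied one would be ignored.
        stored["objectGUID"] = str(uuid.uuid4())
        self._records[dn] = stored

    def set_opaque(self, name, value):
        self._opaques[name] = value

    def get_opaque(self, name):
        return self._opaques.get(name)

    def search_by_guid(self, guid):
        for dn, attrs in self._records.items():
            if attrs["objectGUID"] == guid:
                return dn, attrs
        return None

    def search_dn(self, dn):
        return self._records.get(dn)


def provision_caching_guid(db, ntds_dn, is_rodc):
    """Approach rejected in the review: preset a GUID in the opaque and
    hope the backend stores the same one (it does not)."""
    db.set_opaque("ntds_objectGUID", str(uuid.uuid4()))
    db.add(ntds_dn, {"objectClass": "nTDSDSA", "msDS-isRODC": is_rodc})


def provision_caching_answer(db, ntds_dn, is_rodc):
    """Approach suggested in the thread: cache the answer to the actual
    question (and the NTDS settings DN), never a GUID the backend may replace."""
    db.add(ntds_dn, {"objectClass": "nTDSDSA", "msDS-isRODC": is_rodc})
    db.set_opaque("ntds_settings_dn", ntds_dn)
    db.set_opaque("am_rodc", is_rodc)


def am_rodc_via_cached_guid(db):
    """Look up our NTDS entry by the cached objectGUID. Returns None when the
    cached GUID does not match anything the backend actually stored."""
    hit = db.search_by_guid(db.get_opaque("ntds_objectGUID"))
    return None if hit is None else hit[1]["msDS-isRODC"]


def am_rodc_via_cached_answer(db):
    """Use the cached flag if provision preset it; otherwise read the
    msDS-isRODC attribute from our NTDS settings entry by DN."""
    cached = db.get_opaque("am_rodc")
    if cached is not None:
        return cached
    entry = db.search_dn(db.get_opaque("ntds_settings_dn"))
    return None if entry is None else entry["msDS-isRODC"]


def cached_guid_is_consistent(db):
    """The check the review asks for: does the cached GUID exist in the store?"""
    return db.search_by_guid(db.get_opaque("ntds_objectGUID")) is not None


if __name__ == "__main__":
    dn = "CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test"
    bad = FakeSamDB()
    provision_caching_guid(bad, dn, True)
    print("cached GUID consistent:", cached_guid_is_consistent(bad))   # False
    print("am I an RODC (via GUID):", am_rodc_via_cached_guid(bad))     # None
    good = FakeSamDB()
    provision_caching_answer(good, dn, True)
    print("am I an RODC (via answer):", am_rodc_via_cached_answer(good))  # True
```

The point of the consistency check is that a cache must be validated against, or derived from, what the backend really holds; the GUID approach fails that test silently (a lookup miss, not an error), while caching the flag or the DN costs nothing at provision time and stays correct whatever objectGUID the backend assigns.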
